auto secure

notgoing2fail Member Posts: 1,138
When doing the auto-secure, one step lockdown via SDM.

It offers the ability to undo changes right? How does it do this? Does it store the original config in your PC's RAM?

It seems to be a feature that you cannot do in the CLI....so I'm just wondering??

Comments

  • tiersten Member Posts: 4,505
    When doing the auto-secure, one step lockdown via SDM.

    It offers the ability to undo changes right? How does it do this? Does it store the original config in your PC's RAM?

    It seems to be a feature that you cannot do in the CLI....so I'm just wondering??
    If you don't like the changes then don't save them to the startup config. You can set an option in SDM to show you the commands it wants to send before actually sending them.

    It is a feature of SDM so you can't do it via the CLI.
  • peanutnoggin Member Posts: 1,096
    tiersten wrote: »
    If you don't like the changes then don't save them to the startup config. You can set an option in SDM to show you the commands it wants to send before actually sending them.

    It is a feature of SDM so you can't do it via the CLI.

    Tiersten, I believe you're referring to the "Preview Commands" under Edit-->Preferences. However, I think the OP was specifically talking about when you perform the one step lockdown, there is a small checkbox (if I remember correctly) that allows you to undo the recent changes performed by the one step lockdown.

    OP, I'm just guessing here... but I'm thinking that the SDM performs a copy run start before it runs its one step lockdown... and if you do not like the changes it makes, it'll perform a copy start run to undo all of the changes. Can someone verify this information? Thanks.
    We cannot have a superior democracy with an inferior education system!

    -Mayor Cory Booker
  • Bl8ckr0uter Inactive Imported Users Posts: 5,031
    OP, I'm just guessing here... but I'm thinking that the SDM performs a copy run start before it runs its one step lockdown... and if you do not like the changes it makes, it'll perform a copy start run to undo all of the changes. Can someone verify this information? Thanks.

    I think you are right; Auto Secure creates a copy run start, I believe. I can check this a little later.
  • tiersten Member Posts: 4,505
    Tiersten, I believe you're referring to the "Preview Commands" under Edit-->Preferences.
    Yeah.
    However, I think the OP was specifically talking when you perform the one step lockdown, there is a small checkbox (if I remember correctly) that allows you to undo the recent changes performed by the one step lockdown.
    I've never used the one-step lockdown option before. The most I've done is run the security audit option and then reviewed what it recommended. I don't trust SDM to do everything properly in this regard since even Cisco admits that you might get locked out.
    OP, I'm just guessing here... but I'm thinking that the SDM performs a copy run start before it runs its one step lockdown... and if you do not like the changes it makes, it'll perform a copy start run to undo all of the changes. Can someone verify this information? Thanks.
    It won't do that. There is the possibility that you actually block yourself from using SDM with the router because of the rules it applies and if it did save it to the startup config then you're going to need a site visit. I've tried it on a spare router here and the startup configuration never changed.

    Nothing appears in NVRAM or the flash either so I'm unsure what exactly it does when rolling back.
  • notgoing2fail Member Posts: 1,138
    Thanks guys, yes, I was referring to the ability to undo changes.

    I'm going to check my SDM tomorrow.

    There are checkboxes for you to selectively undo any changes so it doesn't have to be an all or nothing "rollback" kind of thing.

    I'm curious how SDM handles this, obviously the CLI can't do an undo, but I think it's good to know how this works.

    The part that got me was that you can "selectively" choose which ones.

    So SDM is somehow holding your original config, and mapping those checkboxes to each command that you want to undo.

    I don't need to know the programming side of how SDM works, just if it's using RAM, or cookies, or some temporary text file in the flash directory of the router...something..??
  • tiersten Member Posts: 4,505
    I can't run the undo option in the audit portion because it doesn't work for me on this router. Not sure why it is being flaky but this router is running 15.1T and SDM might not like that.
  • tiersten Member Posts: 4,505
    So SDM is somehow holding your original config, and mapping those checkboxes to each command that you want to undo.

    I don't need to know the programming side of how SDM works, just if it's using RAM, or cookies, or some temporary text file in the flash directory of the router...something..??
    It knows what your original config had and what the changes it made were so it probably just remembers it in RAM. If the undo option is working for you then it should be fairly easy to test.

    Save the configuration so you have a backup.
    Enable the command preview option.
    Run the lockdown option. See what it wants to send and then send it.
    Run the undo option. See what it wants to send and then send it.
    Run the lockdown option again. Let it send.
    Close SDM.
    Open SDM and try to undo. See what it wants to do.

    Nothing appears in flash or the NVRAM when I try the lockdown option on my router so it isn't being kept there. It only sends some commands as well because my original configuration had nearly everything it wanted to do anyway. The configuration doesn't have any comments added by SDM either that would mark specific lines as being created by the lockdown tool.

    SDM does generate a tiny file in your profile directory when you run it but it doesn't appear to be specific to a router. The file is some sort of Java options file and named after the SDM version, router model and IOS version + feature set. It doesn't contain any router configuration options.

    The CLI auto secure commands do something different than SDM so it isn't based on that either. SDM is inspecting and generating the rules itself. The CLI auto secure gives a different configuration and it doesn't have a rollback feature.
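    To illustrate the mechanism the thread speculates about (holding the original config in memory and mapping each checkbox to one undo command), here is an added Python example that is not SDM's code: it diffs a constructed before/after pair of global-mode config lines and generates the negating commands, optionally only for the changes a user selected.

```python
"""Generate IOS-style 'undo' commands for a lockdown change set by diffing configs.

Constructed example: the two configs below are made up, not taken from a real router.
Assumptions: only global configuration lines (no sub-modes); an added line is
reversed with 'no <line>' (or by dropping a leading 'no '), a removed line is
reversed by re-entering it.
"""

BEFORE = """\
service timestamps log datetime
ip source-route
service pad
ip finger
"""

AFTER = """\
service timestamps log datetime
service password-encryption
no ip source-route
no cdp run
"""


def parse_config(text):
    """Return the set of non-empty, non-comment config lines."""
    return {ln.rstrip() for ln in text.splitlines() if ln.strip() and not ln.startswith("!")}


def change_set(before, after):
    """Lines the lockdown added and lines it removed, each as a sorted list."""
    b, a = parse_config(before), parse_config(after)
    added = sorted(a - b)
    # A removed line X whose negation 'no X' was added is one change, not two.
    removed = sorted(ln for ln in b - a if "no " + ln not in a)
    return added, removed


def undo_command(line, was_added):
    """Command that reverses one change: negate an added line, restore a removed one."""
    if was_added:
        return line[3:] if line.startswith("no ") else "no " + line
    return line


def undo_commands(before, after, selected=None):
    """Build the rollback; 'selected' holds indexes of the ticked changes (None = all)."""
    added, removed = change_set(before, after)
    changes = [(ln, True) for ln in added] + [(ln, False) for ln in removed]
    chosen = changes if selected is None else [changes[i] for i in selected]
    return [undo_command(ln, was_added) for ln, was_added in chosen]
```

    Note that negating a command is not always a true revert: `no service password-encryption` leaves already-encrypted passwords encrypted, which is why saving a full copy of the configuration before the lockdown (as the test steps above suggest) is the safer backup.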